Financial Section

KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Auditors’ Report

Secretary and Inspector General
U.S. Department of Labor:

We have audited the accompanying consolidated balance sheet of the U.S. Department of Labor (DOL) as of
September 30, 2006, and the related consolidated statements of net cost, changes in net position, financing, and
custodial activity, and the combined statement of budgetary resources for the year then ended; and the statement of
social insurance as of September 30, 2006 (hereinafter referred to as “consolidated financial statements”). The
objective of our audit was to express an opinion on the fair presentation of these consolidated financial statements. In
connection with our fiscal year 2006 audit, we also considered DOL’s internal controls over financial reporting,
Required Supplementary Stewardship Information, and performance measures, and tested DOL’s compliance with
certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and
material effect on these consolidated financial statements.
The accompanying consolidated financial statements of
DOL as of September 30, 2005, were audited by other auditors whose report thereon, dated November 10, 2005,
expressed an unqualified opinion on those consolidated financial statements, except for the statement of social
insurance which they did not audit.

We have also examined DOL’s compliance with section 803a of the Federal Financial Management Improvement
Act of 1996 (FFMIA) during the year ended September 30, 2006.

SUMMARY
As stated in our opinion on the consolidated financial statements, we concluded that DOL’s consolidated financial
statements as of and for the year ended September 30, 2006, are presented fairly, in all material respects, in
conformity with U.S. generally accepted accounting principles.

As discussed in our opinion on the consolidated financial statements, in fiscal year 2006, DOL adopted new
accounting and reporting requirements for earmarked funds and social insurance programs.

Our consideration of internal controls over financial reporting, Required Supplementary Stewardship Information,
and performance measures resulted in the following conditions being identified as reportable conditions:

        1. Lack of Strong Application Controls over Access to and Protection of Financial Information
        2. Lack of Strong Logical Security Controls to Secure DOL’s Networks and Information
        3. Weaknesses Noted over Property, Plant, and Equipment
        4. Weaknesses Noted over Grants
        5. Weaknesses Noted in the Change Control Process for a Benefits System
        6. Weaknesses Noted in Federal Employees Compensation Act Accounting and Financial Reporting
        7. Lack of Segregation of Duties over Journal Entries
        8. Weaknesses Noted over Payroll Accounting
        9. Weaknesses Noted over Budgetary Accounting
        10. Weaknesses Noted over Custodial Activities

However, none of the reportable conditions are believed to be material weaknesses.

KPMG LLP, a U.S. limited liability partnership, is the U.S.
member firm of KPMG International, a Swiss cooperative.

152 United States Department of Labor

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements
disclosed the following instances of noncompliance or other matters that are required to be reported under
Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management
and Budget (OMB) Bulletin No. 06-03, Audit Requirements for Federal Financial Statements.

        1. Federal Information Security Management Act (Electronic Government Act of 2002)
        2. Single Audit Act Amendments of 1996
        3. Debt Collection Improvement Act of 1996

As stated in our opinion on DOL’s compliance with FFMIA, we concluded that DOL did not comply, in all material
respects, with the Federal financial management systems requirements of FFMIA for the year ended September 30,
2006, but did comply, in all material respects, with the applicable Federal accounting standards and the United States
Government Standard General Ledger requirements.

The following sections discuss our opinion on DOL’s consolidated financial statements; our consideration of DOL’s
internal controls over financial reporting, Required Supplementary Stewardship Information, and performance
measures; our tests of DOL’s compliance with certain provisions of applicable laws, regulations, contracts, and grant
agreements; our opinion on the DOL’s compliance with FFMIA; and management’s and our responsibilities.

OPINION ON THE CONSOLIDATED FINANCIAL STATEMENTS
We have audited the accompanying consolidated balance sheet of the U.S. Department of Labor as of September 30,
2006, and the related consolidated statements of net cost, changes in net position, financing, and custodial activity,
and the combined statement of budgetary resources for the year then ended; and the statement of social insurance as
of September 30, 2006. The accompanying statements of social insurance as of September 30, 2002 through 2005
were not audited by us and, accordingly, we do not express an opinion on them. The accompanying consolidated
financial statements of the U.S.
Department of Labor as of September 30, 2005, were audited by other auditors
whose report thereon, dated November 10, 2005, expressed an unqualified opinion on those financial statements,
except for the statement of social insurance, which they did not audit.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the
financial position of the U.S. Department of Labor as of September 30, 2006, and its net costs, changes in net
position, budgetary resources, reconciliation of net costs to budgetary obligations, and custodial activity for the year
then ended, and the financial condition of its social insurance program as of September 30, 2006, in conformity with
U.S. generally accepted accounting principles.

As discussed in Note 1.A to the consolidated financial statements, DOL changed its method of reporting earmarked
funds to adopt the provisions of the Federal Accounting Standards Advisory Board’s Statement of Federal Financial
Accounting Standards (SFFAS) No. 27, Identifying and Reporting Earmarked Funds, effective October 1, 2005. In
addition, as discussed in Note 1.W to the consolidated financial statements, DOL changed its method of reporting its
social insurance program to adopt the provisions of SFFAS No. 25, Reclassification of Stewardship Responsibilities
and Eliminating the Current Services Assessment, and No. 26, Presentation of Significant Assumptions for the
Statement of Social Insurance: Amending SFFAS 25, effective October 1, 2005.

As discussed in Note 1.W to the consolidated financial statements, the statements of social insurance present the
actuarial present value of DOL’s estimated future income to be received from or on behalf of the participants and
estimated future expenditures to be paid to or on behalf of participants during a projection period sufficient to
illustrate long-term sustainability of the social insurance program.
In preparing the statements of social insurance,
management considers and selects assumptions and data that it believes provide a reasonable basis for the assertions
in the statements. However, because of the large number of factors that affect the statements of social insurance and
the fact that future events and circumstances cannot be known with certainty, there will be differences between the
estimates in the statements of social insurance and the actual results, and those differences may be material.

FY 2006 Performance and Accountability Report 153

The information in the Management’s Discussion and Analysis, Required Supplementary Stewardship Information,
and Required Supplementary Information sections is not a required part of the consolidated financial statements, but
is supplementary information required by U.S. generally accepted accounting principles and OMB Circular
No. A-136, Financial Reporting Requirements. We have applied certain limited procedures, which consisted
principally of inquiries of management regarding the methods of measurement and presentation of this information.
However, we did not audit this information and, accordingly, we express no opinion on it. As a result of such limited
procedures, we believe that the Required Supplementary Stewardship Information for Employment and Training
Administration and Job Corps omits certain output and outcome measures required by U.S. generally accepted
accounting principles.

The information in the Secretary’s Message, Performance Section, and Appendices are presented for purposes of
additional analysis and are not required as part of the consolidated financial statements.
This information has not
been subjected to auditing procedures and, accordingly, we express no opinion on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING
Our consideration of internal control over financial reporting would not necessarily disclose all matters in the internal
control over financial reporting that might be reportable conditions. Under standards issued by the American Institute
of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant
deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could
adversely affect DOL’s ability to record, process, summarize, and report financial data consistent with the assertions
by management in the consolidated financial statements.

Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control
components does not reduce to a relatively low level the risk that misstatements caused by error or fraud, in amounts
that would be material in relation to the consolidated financial statements being audited, may occur and not be
detected within a timely period by employees in the normal course of performing their assigned functions. Because
of inherent limitations in internal control, misstatements due to error or fraud may nevertheless occur and not be
detected.

In our fiscal year 2006 audit, we noted certain matters, discussed in Exhibit I, involving the internal control over
financial reporting and its operation that we consider to be reportable conditions. However, none of the reportable
conditions are believed to be material weaknesses.

We noted certain additional matters in internal control over financial reporting and its operation that we will report to
management of DOL in a separate letter.

INTERNAL CONTROLS OVER REQUIRED SUPPLEMENTARY STEWARDSHIP
INFORMATION AND PERFORMANCE MEASURES
Under OMB Bulletin No.
06-03, the definition of material weaknesses is extended to other controls as follows.
Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control
components does not reduce to a relatively low level the risk that misstatements caused by error or fraud, in amounts
that would be material in relation to the Required Supplementary Stewardship Information or material to a
performance measure or aggregation of related performance measures, may occur and not be detected within a timely
period by employees in the normal course of performing their assigned functions. Because of inherent limitations in
internal control, misstatements due to error or fraud may nevertheless occur and not be detected.

Our consideration of the internal control over the Required Supplementary Stewardship Information and the design
and operation of internal control over the existence and completeness assertions related to key performance measures
would not necessarily disclose all matters involving the internal control and its operation related to Required
Supplementary Stewardship Information or the design and operation of the internal control over the existence and
completeness assertions related to key performance measures that might be reportable conditions.

In our fiscal year 2006 audit, we noted no matters involving the internal control and its operation related to Required
Supplementary Stewardship Information that we considered to be material weaknesses as defined above.

Further, in our fiscal year 2006 audit, we noted no matters involving the design and operation of the internal control
over the existence and completeness assertions related to key performance measures that we considered to be
material weaknesses as defined
above.

COMPLIANCE AND OTHER MATTERS
Our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements, as described in
the Responsibilities section of this report, exclusive of those referred to in FFMIA, disclosed three instances of
noncompliance or other matters that are required to be reported under Government Auditing Standards or OMB
Bulletin No. 06-03, and are described in Exhibit II.

The results of our tests of compliance with certain provisions of other laws and regulations, exclusive of those
referred to in FFMIA, disclosed no instances of noncompliance or other matters that are required to be reported under
Government Auditing Standards or OMB Bulletin No. 06-03.

Other Matter. DOL is currently reviewing three incidents regarding potential violations of the Anti-deficiency Act.
As of the date of this report, no final noncompliance determination has been made for any of the three incidents.

We noted certain additional matters that we will report to management of DOL in a separate letter.

OPINION ON COMPLIANCE WITH FFMIA
The Department represented that in accordance with the provisions and requirements of FFMIA, the Secretary of
Labor determined that the Department of Labor’s financial management systems are in substantial compliance with
FFMIA.

We have examined the U.S. Department of Labor’s compliance with section 803a of the Federal Financial
Management Improvement Act of 1996 during the fiscal year ended September 30, 2006. Under section 803a of
FFMIA, DOL’s financial management systems are required to substantially comply with (1) Federal financial
management systems requirements, (2) applicable Federal accounting standards, and (3) the United States
Government Standard General Ledger at the transaction level.
We used OMB’s Revised Implementation Guidance
for the Federal Financial Management Improvement Act, dated January 4, 2001, to determine compliance.

Our examination disclosed the following material noncompliance with FFMIA section 803a applicable to the U.S.
Department of Labor during the fiscal year ended September 30, 2006.

DOL’s financial management systems do not comply substantially with Federal financial management system
requirements because of certain weaknesses in DOL’s general computer access controls, application access controls,
and related manual controls. These matters are further described in Exhibit II, Finding No. 4.

In our opinion, except for the material noncompliance described in the preceding paragraph, the U.S. Department of
Labor complied, in all material respects, with the aforementioned requirements during the fiscal year ended
September 30, 2006.

* * * * *

RESPONSIBILITIES
Management’s Responsibilities. The United States Code, Title 31, Sections 3515 and 9106 require agencies to
report annually to Congress on their financial status and any other information needed to fairly present their financial
position and results of operations. To meet these reporting requirements, DOL prepares and submits financial
statements in accordance with OMB Circular No. A-136.

Management is responsible for the consolidated financial statements, including:

    •   Preparing the consolidated financial statements in conformity with U.S.
        generally accepted accounting principles;
    •   Preparing the Management’s Discussion and Analysis (including the performance measures), Required
        Supplementary Information, and Required Supplementary Stewardship Information;
    •   Establishing and maintaining effective internal control; and
    •   Complying with laws, regulations, contracts, and grant agreements applicable to DOL, including FFMIA.

In fulfilling this responsibility, management is required to make estimates and judgments to assess the expected
benefits and related costs of internal control policies.

Auditors’ Responsibilities. Our responsibility is to express an opinion on the fiscal year 2006 consolidated financial
statements of DOL based on our audit. We conducted our audit in accordance with auditing standards generally
accepted in the United States of America; the standards applicable to financial audits contained in Government
Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 06-03. Those
standards and OMB Bulletin No. 06-03 require that we plan and perform the audit to obtain reasonable assurance
about whether the consolidated financial statements are free of material misstatement. An audit includes
consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate
in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of DOL’s internal control
over financial reporting.
Accordingly, we express no such opinion.

An audit also includes:

    •   Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial
        statements;
    •   Assessing the accounting principles used and significant estimates made by management; and
    •   Evaluating the overall consolidated financial statement presentation.

We believe that our audit provides a reasonable basis for our opinion.

In planning and performing our fiscal year 2006 audit, we considered DOL’s internal control over financial reporting
by obtaining an understanding of DOL’s internal control, determining whether internal controls had been placed in
operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for
the purpose of expressing our opinion on the consolidated financial statements. We limited our internal control
testing to those controls necessary to achieve the objectives described in Government Auditing Standards and OMB
Bulletin No. 06-03. We did not test all internal controls relevant to operating objectives as broadly defined by the
Federal Managers’ Financial Integrity Act of 1982. The objective of our audit was not to provide an opinion on
DOL’s internal control over financial reporting. Consequently, we do not provide an opinion thereon.

As required by OMB Bulletin No. 06-03, in our fiscal year 2006 audit, we considered DOL’s internal control over
the Required Supplementary Stewardship Information by obtaining an understanding of the DOL’s internal control,
determining whether these internal controls had been placed in operation, assessing control risk, and performing tests
of controls.
We limited our testing to those controls necessary to test and report on the internal control over Required
Supplementary Stewardship Information in accordance with OMB Bulletin No. 06-03. However, our procedures
were not designed to provide an opinion on internal control over the Required Supplementary Stewardship
Information and, accordingly, we do not provide an opinion thereon.

As further required by OMB Bulletin No. 06-03, in our fiscal year 2006 audit, with respect to internal control related
to performance measures determined by management to be key and reported in the Management’s Discussion and
Analysis and Performance Section, we obtained an understanding of the design of internal controls relating to the
existence and completeness assertions and determined whether these internal controls had been placed in operation.
We limited our testing to those controls necessary to test and report on the internal control over key performance
measures in accordance with OMB Bulletin No. 06-03. However, our procedures were not designed to provide an
opinion on internal control over reported performance measures and, accordingly, we do not provide an opinion
thereon.

As part of obtaining reasonable assurance about whether DOL’s fiscal year 2006 consolidated financial statements
are free of material misstatement, we performed tests of DOL’s compliance with certain provisions of laws,
regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on
the determination of the consolidated financial statement amounts, and certain provisions of other laws and
regulations specified in OMB Bulletin No. 06-03.
We limited our tests of compliance to the provisions described in
the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements
applicable to DOL. However, providing an opinion on compliance with laws, regulations, contracts, and grant
agreements was not an objective of our audit and, accordingly, we do not express such an opinion.

Our responsibility also included expressing an opinion on DOL’s fiscal year 2006 compliance with FFMIA section
803a requirements, based on our examination. Our examination was conducted in accordance with attestation
standards established by the American Institute of Certified Public Accountants and the standards applicable to
attestation engagements contained in Government Auditing Standards issued by the Comptroller General of the
United States and, accordingly, included examining, on a test basis, evidence about DOL’s compliance with the
requirements of FFMIA section 803a and performing such other procedures as we considered necessary in the
circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination does
not provide a legal determination on DOL’s compliance with specified requirements.

RESTRICTED USE
This report is intended solely for the information and use of DOL’s management, DOL’s Office of Inspector General,
OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be
used by anyone other than these specified parties.

November 13, 2006

1. Lack of Strong Application Controls Over Access to and Protection of Financial Information
   In fiscal years (FY) 2004 and 2005, the Office of Inspector General (OIG) reported consistent weaknesses across
   the Department of Labor’s (DOL) applications tested in the following application control areas:

       •   Identification and documentation of supporting environments, such as process flow documentation and
           mapping;
       •   Application password settings, such as passwords that do not adhere to complexity requirements;
       •   User access, such as incomplete access request and termination forms;
       •   Lack of application segregation of duties policies or enforcement of segregation of duties policies;
       •   Periodic user account review and reauthorization, including lack of user authorization, or incomplete
           authorization documentation;
       •   Audit trails, such as lack of monitoring of sensitive application functions and incomplete audit logs; and
       •   Controls over output to other applications, including reconciliation of control totals and record counts.

   The OIG recommended that management:

       •   Verify that specific security weaknesses identified during the audits and communicated to DOL agencies
           are included in each individual agency’s Plan of Action and Milestones (POA&M), and that appropriate
           and timely corrective action is taken on the identified weaknesses; and
       •   Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to
           address systemic application control weaknesses in current financial management systems.

   From current year testing, we found the continued presence of numerous weaknesses in the information
   protection controls over applications. We identified 43 prior year recommendations, 35 from the Office of the
   Chief Financial Officer (OCFO), 6 from the Employment and Training Administration (ETA), and 2 from the
   Employment Standards Administration (ESA), related to application controls that have not been corrected. The
   specific nature of these weaknesses, their causes, and the systems impacted by them have been separately
   communicated to management.

   These findings are a result of a breakdown in the implementation and monitoring of Departmental processes and
   procedures for application controls. These application control weaknesses could lead to users with inappropriate
   access to financial systems; inefficient processes; lack of completeness, accuracy, or integrity of financial data;
   and/or the lack of detection of unusual activity within financial systems. In addition, as a result of these
   weaknesses, DOL is not in full compliance with the Federal Information Security Management Act (FISMA)
   passed as part of the Electronic Government Act of 2002.

   Management believes that it has made substantial progress during FY 2006 to strengthen application security
   controls in response to the OIG’s prior year recommendations. Management also believes that its financial
   system, the Department of Labor Accounting and Related Systems (DOLAR$) has sufficient compensating
   controls to address the deficiencies identified by the OIG.

2. Lack of Strong Logical Security Controls to Secure DOL’s Networks and Information
   Since FY 2001, the OIG identified and reported continuing weaknesses with DOL’s technical security standards
   and policies; access controls; and segregation of duties.
   The OIG recommended that management:

       •   Verify that specific security weaknesses identified during the audits are communicated to DOL agencies
           and included in each individual agency’s POA&M, and that appropriate and timely corrective action is
           taken on the identified weaknesses; and
       •   Coordinate efforts among the DOL agencies to develop and/or enforce procedures and controls to
           address logical security control weaknesses on current financial management systems.

Reportable Conditions
Exhibit I

   DOL continues to lack strong logical security controls to secure its networks and information. Current year
   testing showed that improvements are still needed in the following areas:

       •   Technical security standards and policies need to be updated and implemented to include stronger logical
           security controls.
           Specifically, patches need to be applied to systems in a timely manner, unnecessary
           services need to be disabled, and access to sensitive files and directories needs to be restricted.
       •   Segregation of duties policies need to be created and enforced for general support systems of financial
           applications.
       •   Access controls need to be improved concerning account management, passwords, and audit log reviews.

   We identified 55 prior year recommendations (7 related to the OCFO, 12 related to ETA, 23 related to ESA, and
   13 related to the Office of the Assistant Secretary for Administration and Management (OASAM)) addressing
   logical security controls that have not been corrected. Additionally, 24 new recommendations related to logical
   security controls were issued in FY 2006 (8 related to ETA, 6 related to ESA, and 10 related to OASAM). The
   specific nature of these weaknesses, their causes, and the systems impacted by them have been separately
   communicated to management.

   These findings are a result of a breakdown in the implementation and monitoring of Departmental processes and
   procedures for logical security controls. These logical security control weaknesses could lead users to gain
   unauthorized access to the agency applications and data, and allow users to potentially modify or disclose agency
   data. Additionally, individuals who have the ability to perform incompatible job duties could perform fraudulent,
   malicious, or accidental actions that could result in unauthorized access, disclosure, and/or modification of DOL
   data. As a result of these weaknesses, DOL is not in full compliance with FISMA.

   Management believes it has made substantial progress to improve its logical security controls and plans to
   implement additional corrective actions to address remaining recommendations in FY 2007. Management also
Management also\n   believes compensating controls within DOLAR$ address the weaknesses identified related to logical security\n   controls.\n\n3. Weaknesses Noted Over Property, Plant and Equipment\n   DOL did not consistently implement or follow policies and procedures designed to ensure that property, plant\n   and equipment (PP&E) balances, including construction-in-progress, are stated in accordance with Federal\n   accounting standards.\n\n   Internal-Use Software\n   In FY 2005, the OIG identified that DOL has not capitalized all project costs, such as (1) direct salary and fringe\n   benefit costs of Federal employees involved, and (2) related indirect costs such as overhead, rent, and travel, in\n   accordance with Statement of Federal Financial Accounting Standard (SFFAS) No. 10, Accounting for Internal\n   Use Software, for all of its internal-use software. The OIG recommended the OCFO again notify DOL agencies\n   of their requirements to account for costs related to internal-use software and monitor to ensure they properly\n   account for these costs in accordance with Federal and departmental requirements.\n\n   During FY 2006, the OCFO re-issued relevant guidance to the agencies and conducted a meeting with the\n   agencies. Although the OCFO has informally been communicating with the agencies to monitor the\n   implementation of this guidance, no documentation exists to support this monitoring and the OCFO did not\n   maintain a listing of internal use software projects in development. In addition, no one in the OCFO has been\n   designated to be responsible for DOL\xe2\x80\x99s internal use software accounting and reporting.\n\n   We also noted that although the guidance issued discusses transaction codes used to record related indirect costs,\n   the guidance does not provide detailed enough instructions on how indirect costs related to internal use software\n   should be captured, calculated, and documented. 
Additionally, the OCFO has not developed an analysis to support its position that the amount of indirect costs associated with the development of internal-use software is not material to the financial statements.

In addition to the open prior year recommendation, we recommend that management designate an official to be responsible for internal-use software accounting and reporting and to perform certain procedures in this role.

Management believes it made substantial progress to capitalize internal use software in response to the OIG’s previous recommendations. In FY 2006, management provided guidance and assistance, as well as monitored DOL agencies to ensure they properly capitalized internal use software. Management does not agree that DOL did not capitalize software development costs. For example, costs for the new accounting system have been capitalized, which include federal employees’ salaries, travel, rent, and other costs. Management agreed to enhance procedures to compare the internal-use software assets recorded in the Capitalized Asset Tracking and Reporting System (CATARS) to the amounts reported by the agencies and will perform, document, and maintain an analysis of indirect cost associated with software in development to determine whether these costs are material.

Job Corps Property
In the FY 2004 and FY 2005 audits, the OIG reported that ETA did not sufficiently use DOL’s subsidiary ledger, the CATARS, as a complete property management system in accordance with the CATARS user guide.
The OIG also found that ETA did not establish sufficient controls to ensure that Job Corps’ capitalized real property was accurately reported in CATARS and in the Department of Labor Accounting and Reporting System (DOLAR$), DOL’s general ledger system. The OIG recommended that management record property transactions timely and make other improvements over accounting for real property.

In the FY 2006 audit, we noted the recurrence of many issues identified in prior audits, and we identified several new property-related issues including untimely transfer of acquisitions from the CATARS holding account, incorrect valuation of land transferred from other Federal agencies, and lack of documented analysis supporting the rationale for leased Job Corps facilities not being recorded as capital leases and property.

We believe that many of these issues stem from the fact that the ETA Capitalized Asset Management Officer (CAMO) position remained vacant for much of the fiscal year under audit. Additionally, during FY 2006, the Job Corps program was transferred from ETA to the Office of the Secretary.

In addition to the open prior year recommendations, we recommend that management take further actions to improve accounting for Job Corps property.

Management believes it made significant progress towards closing the FY 2004 audit finding by implementing procedural changes in the documentation of Job Corps facilities and the recording of substantially completed construction projects into CATARS. Management suspended the implementation of many of these changes after Hurricane Katrina destroyed the New Orleans and Gulfport Job Corps Centers.
Management has initiated a full scale review of the Job Corps program policies and procedures, which will result in the implementation of corrective action that will bring the recording of Job Corps assets into compliance with Departmental and Federal government standards.

Other Property
Our FY 2006 audit testing disclosed the following DOL-wide property issues:

• Abnormal balances (e.g., items which appear to be below the applicable capitalization threshold and negative additions on the PP&E rollforward schedule) exist in CATARS that should be researched and resolved.
• Reconciliations between CATARS and the general ledger are not performed timely.
• Documentation to support certain PP&E-related transactions or balances was not readily available or did not exist.
• For additions other than construction-in-progress, we noted 5 instances where an obligating document was signed by an unauthorized person, and 1 instance where the Contracting Officer signed an obligating document in excess of the officer’s warrant authority.
• We identified 12 capitalized PP&E additions for which the unit cost was below the capitalization threshold.
• We noted 6 capitalized items that represented costs incurred after the software was placed in service and were not software
enhancements. These costs should have been expensed in accordance with U.S. generally accepted accounting principles.
• We identified 5 items related to software that were capitalized based on obligations rather than costs.
• Physical inventories are not being adequately performed and documented. Of the 1,763 physical inventory reports we requested, 1,485 were not provided to us. In addition, 30 of the reports we reviewed were not certified by the Accountable Property Officer (APO).

In addition, we tested a DOL-wide statistical sample of 200 assets to verify the assets existed and were in usable condition. For 40 of the 200 items, DOL could not provide timely and adequate evidence of the asset’s existence and use. For 5 of the 200 items, the evidence provided indicated the asset had been transferred or disposed of, and for 9 of the 200 items, the evidence provided indicated the asset was no longer in usable condition. These 54 errors noted represented assets with a total cost of $21,315,130 and accumulated depreciation of $14,832,034. When projected to the entire population of assets, the projected misstatement is $81,527,396 of cost and $66,594,051 of accumulated depreciation. These errors were partially caused by DOL’s inability to readily identify an asset based on the inventory number, serial number, or description in CATARS. We noted that the inventory numbers and serial numbers on the assets were not consistently recorded in CATARS. In addition, some errors resulted from the inventory certification process not adequately identifying assets that no longer exist or that are no longer in usable condition.
DOL management considered the identified differences to be immaterial to the FY 2006 consolidated financial statements, and as such, these differences were included in the Summary of Unadjusted Audit Differences attached to management’s FY 2006 representation letter.

We recommend that management develop and implement policies and procedures, or enhance and enforce existing policies and procedures, related to abnormal balances in CATARS, reconciliations between CATARS and the general ledger, proper recording of acquired and disposed assets in CATARS, document maintenance and retention, obligation approvals, proper capitalization, and physical inventories.

Management is ensuring that the required reconciliation procedures are now being performed and will strengthen procedures to ensure that assets are being recorded with the proper inventory number and proper serial number in CATARS, and that records of assets are being maintained such that each asset can be readily identified and located. Instructions will be provided so that during physical inventories, assets that are no longer in usable condition are identified and properly disposed of in CATARS.

4. Weaknesses Noted Over Grants
Grant Accrual Preparation and Validation
The ETA grant accrual process for the fiscal year-end and quarter-end accruals takes a snapshot of general ledger data for all ETA grants at the end of the period and calculates, at the individual grant level, the probable costs incurred based on the amount of drawdowns recorded at the end of the period. An accuracy analysis is performed on an annual basis to compare the actual costs reported by the grantees to the previous year-end’s accrual.
During our FY 2006 audit work, we identified segregation of duties weaknesses related to the ETA grant accrual and validation process, and we determined that procedures for the ETA grant accrual and validation process were not documented.

Per the U.S. Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government, “Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event.” Additionally, “The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained.”

Without a proper management review of the quarterly grant accrual and annual accuracy analysis, the risk increases that the grant accrual could be misstated in the consolidated financial statements.
Additionally, without another employee trained to calculate the quarterly grant accrual using the current accrual methodology, a risk exists that the accrual would not be prepared timely and/or accurately in the event that the Financial Systems Specialist is absent.

We recommend that management designate and train additional individuals in the grant accrual and validation process to correct this weakness, and that management formally document the grant accrual and validation procedures.

Management agrees that backup procedures and personnel should be in place for calculating the quarterly grant accrual and for performing the annual accuracy analysis. The financial systems specialist now performs the management review of the accruals. Additional accounting office personnel will be trained to perform the accuracy analysis during FY 2007.

Controls over Compliance with the Single Audit Act Amendments of 1996
DOL has no monitoring procedures in place to ensure that audits of its grantees are completed and reports are received in a timely manner for each grantee that meets the audit threshold in Office of Management and Budget (OMB) Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations. Therefore, DOL cannot be certain that all required audits have been performed in a timely manner.

In addition, for FY 2006 compliance testing purposes, we selected a sample of DOL grantees that expended $500,000 or more of DOL funding through June 30, 2005. As of September 30, 2006, the latest available OMB Circular No. A-133 audit reports for 5 of the 32 grantees selected were not obtained by DOL for review to determine if any issues related to DOL grants had been reported.
According to the Federal Single Audit Clearinghouse website, these 5 audit reports had been completed between the dates of May 7, 2002 and March 5, 2006 and were available on the website.

According to Section 7504 of the Single Audit Act Amendments of 1996, “Each Federal agency shall, in accordance with guidance issued by the Director under section 7505, with regard to Federal awards provided by the agency…monitor non-Federal entity use of Federal awards.” According to OMB Circular No. A-133, non-Federal entities that expend $500,000 or more in a year in Federal awards shall have a single or program-specific audit conducted for that year. In addition, OMB Circular No. A-133, Subpart D, section 400(c) requires the Federal awarding agency to “perform the following for the Federal awards it makes: “Ensure that audits are completed and reports are received in a timely manner and in accordance with the requirements of this part…Issue a management decision on audit findings within six months after receipt of the audit report and ensure that the recipient takes appropriate and timely corrective action.”

DLMS 8 – Audits and Investigations, dated July 7, 2004, paragraph 503 states, “DOL Program Official(s) shall promptly evaluate OIG report findings and recommendations and determine appropriate action…The Office of Inspector General will directly receive all Single Audit Act reports required to be submitted to DOL.”

If no procedures are in place to ensure all audit reports that are required to be completed are received by DOL, DOL cannot determine if an audit report is missing or overdue. Additionally, DOL is not in full compliance with OMB Circular No.
A-133, and questioned costs may have been reported for DOL programs of which DOL is not aware.

We recommend that management develop and implement a tracking system to identify each grantee for which an OMB Circular No. A-133 audit is required and the date that the audit report is due. DOL should update DLMS to specifically identify which agencies are responsible for populating and maintaining this tracking system and for following up with grantees when audit reports become overdue. In addition, we recommend that management implement a formal policy or process that defines which agency is responsible to monitor the Federal Single Audit Clearinghouse website for completed DOL grantee audit reports and retrieve them from the website for subsequent review.

Management believes that it is in compliance with OMB Circular No. A-133 as it relates to completion of required audits or follow-up on any questioned costs. The 5 reports noted by the auditor did not contain any findings related to DOL. However, management agrees that the procedures should be strengthened and will coordinate with appropriate agencies to develop and implement changes as recommended above, as appropriate.

5. Weaknesses Noted in the Change Control Process for a Benefits System
A documented and standard process for requesting, reviewing, developing, testing, and approving changes to an ESA benefits system was not in place prior to February 2006.
While change control procedures were established and documented in February 2006, the procedures were inconsistently followed during the months of February and March 2006. We noted various weaknesses in our judgmental sample of 30 changes in the two-month period. Additionally, procedures have not been established for priority and emergency changes or changes to the system test environment.

Management stated that the system was recently implemented, and management had not finalized change control procedures and was informally processing change control requests and approvals. Additionally, since procedures were implemented in February 2006, management has not had sufficient time or resources to ensure that the policy is being consistently followed. Furthermore, management believed that the procedures were sufficient to cover priority and emergency changes at the time the procedures were implemented.

The DOL Computer Security Handbook, volume 6, “System Security Planning for Major Applications”, section 4.6, page 37, states that controls must be used to “monitor the installation of, and updates to, hardware, operating system software, and other software to ensure that the hardware and software function as expected, and that a historical record is maintained of application changes.” Additionally, the guidance states:

    These controls may also be used to ensure that only authorized software is installed on the system.
    Such controls may include a hardware and software configuration policy that grants managerial approval (re-authorize processing) to modifications and requires that changes be documented.

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64, Security Considerations in the Information System Development Life Cycle, section 2.3.4.1, page 23, states:

    Configuration management and configuration control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently controlling and maintaining an accurate inventory of any changes to the system.

Without a proper change control process regarding the flow of changes from development to production, unauthorized and potentially inaccurate program changes may be implemented into the production environment. Without formal acceptance of application changes, program management cannot be assured that the changes made meet their needs and are appropriate for the environment. In addition, as a result of these weaknesses, DOL is not in full compliance with FISMA.

As a result of our findings, management researched the 30 changes and determined the changes were appropriately performed.

We recommend that management develop and/or enforce procedures and controls to address identified change control weaknesses.

Management agrees to include in its Plan of Action and Milestones (POA&M) security weaknesses identified in the report, together with corrective action to be taken and milestone dates. Management has also developed system-specific change control procedures and has updated documentation of approved, tested, and installed system changes.
Additionally, management has begun enforcing and will continue to enforce requirements for documentation of approval, indication of release, and integration and IV & V testing.

6. Weaknesses Noted in Federal Employees Compensation Act (FECA) Accounting and Financial Reporting
DOL did not implement or consistently follow its existing management review procedures related to year-end activity reconciliations and continuing FECA eligibility.

FECA Reconciliations
The OCFO does not adequately reconcile (1) the general ledger to the FECA subsidiary ledgers (FECA history databases), and ESA does not adequately reconcile (2) the FECA history databases to the charge-back report that is derived from the history databases and used to bill FECA customer agencies. We noted a reconciling difference of roughly $76 million in (1) above and a difference of $17 million in (2) above. Although DOL management has management review controls in place, they do not sufficiently follow up on and resolve differences through an adequate reconciliation process.

Per the GAO’s Standards for Internal Control in the Federal Government, “Control activities occur at all levels and functions of the entity.
They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation.”

We recommend that management develop and implement quarterly procedures to reconcile the FECA benefit program expenses to the general ledger and quarterly ESA procedures to adequately reconcile the FECA history databases to the charge-back reports.

Management concurs and will develop and implement formal reconciliation procedures to ensure that the FECA benefit program expenses are reconciled to the general ledger and that the chargeback reports are reconciled to the payment histories.

Management Review of Year-end Accrual
DOL prepares a schedule, Liability for Current Federal Employees Compensation Act Benefits, as of September 30, which is available to other Federal agencies before fiscal year end via the internet. This information is necessary for other Federal agencies to record a liability for fourth quarter benefit payments, which is owed to DOL. The DOL OCFO uses an estimation process to prepare this schedule.

Management does not have procedures in place to review the estimate for the fourth quarter. The estimate for the FY 2006 fourth quarter DOL receivable based on the Liability for Current Federal Employees Compensation Act Benefits schedule differed from the actual DOL receivable by approximately $96 million. This variance primarily resulted from an extra payment cycle in the fourth quarter of FY 2006 for which the estimation model did not account.
Had management performed a detailed review of the OCFO estimate, management may have identified that the extra payment cycle was not accounted for in the fourth quarter estimate and requested a correction prior to the posting of the estimate information on the internet.

Per the GAO’s Standards for Internal Control in the Federal Government, “Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event.”

We recommend that management develop and implement procedures for management review of the OCFO estimates prior to posting of the estimates on the internet and refine the estimation methodology so that it will more accurately account for varying payment cycles.

Management will develop and implement procedures to formally review the amounts to be posted and will review and refine the methodology as needed.

Delinquent Forms CA-1032, Request for Information on Earnings, Dual Benefits, Dependents and Third Party Settlement Form
DOL policy requires FECA claimants to annually certify their earnings information and dependent status on a Request for Information on Earnings, Dual Benefits, Dependents and Third Party
Settlements Form (CA-1032). This information is used to determine if any changes are necessary to a claimant’s benefit amount.

Our tests of operating effectiveness noted that Claims Examiners (CE) were not consistently following up with claimants to ensure that a CA-1032 was received annually for each claimant, as applicable; however, payments continued to be made to non-responsive claimants. ESA management identified the use of the Periodic Eligibility Review (PER) screen capabilities in iFECS as a key control to ensure claimant case files are current. The iFECS PER screen tracks CA-1032 status and documents CA-1032 receipt and review. However, iFECS does not have automated reminders to identify outstanding CA-1032 receipts. For 4 of the 188 disbursements tested, we noted a completed CA-1032 was not returned by the claimant and the CE did not follow the FECA Procedure Manual in following up on the unreturned CA-1032. Without these completed forms, an increased opportunity exists for incorrect payments to be made to claimants in situations where they are either no longer eligible for compensation or are eligible for increased or reduced compensation, based on their earnings, marital status, and/or dependent status, and have not had their information updated in iFECS.

We also noted that 2 of the 188 disbursements tested were made for inaccurate amounts because of inadequate CE reviews of received CA-1032s. The two claimants had provided sufficient information on the CA-1032, noting that they no longer had a spouse or dependents; however, the payments tested identified that they continued to be paid at the higher rate that would apply for a claimant with dependents and/or a spouse.

System controls and reminders should be in place to monitor the status of CA-1032 requests.
Once CEs begin to use the PER screen consistently, a report could be written that would provide a list of those claimants for which CA-1032s have not been received, which would facilitate more timely follow-up by the CEs and supervisory staff.

We have noted that management has taken action on these issues. Specifically, management has made enhancements to the PER screen within iFECS and is updating its policies to make the appropriate use of the PER screen a mandatory requirement.

We recommend that management utilize the PER screen within iFECS to track CA-1032 status and document their receipt and review using a system configuration or manual control and require supervisory review of CE receipt and review of CA-1032 forms.

Management believes that with the successful implementation of the enhancements to the Periodic Eligibility Review (PER) screen within iFECS on March 31, 2006, in fulfillment of the response to a prior year finding, the issue was resolved. It is management’s position that use of the PER resolves the findings related to processing CA-1032s. A bulletin will be created to outline management’s policy on the use of the PER screen and the procedure manual will be updated as it still references claims examiners needing to complete a Form 674.

7. Lack of Segregation of Duties over Journal Entries
All DOL agencies are able to enter journal entries into DOLAR$ via transaction codes. Each transaction code consists of one or more journal entries. The respective agency staff member responsible for recording the particular item accesses DOLAR$ and enters the transaction code and the dollar amount of the item. DOLAR$ does not require these entries to be recorded and approved by separate individuals before they are posted to the general ledger.
Hence, transaction codes and corresponding amounts entered into DOLAR$ are posted without any system-controlled review and approval. We noted this condition through procedures performed at the Occupational Safety and Health Administration (OSHA), OASAM, and the OCFO; these agencies do not have manual compensating review controls to address the related risk.

DOLAR$ was not designed to require journal entries to be electronically approved before amounts entered are posted to the general ledger, and management has not required Department-wide manual review controls to compensate for this condition. By allowing individuals the authority to prepare and approve their own transactions in DOLAR$, the risk increases that a material error would not be prevented or detected and corrected on a timely basis.

Per the GAO’s Standards for Internal Control in the Federal Government, “Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event.”

We recommend that management ensure the current general ledger system’s configuration is modified so that journal entries (via transaction codes) entered into the general ledger are required to be approved electronically by an individual other than the preparer before they are posted. This feature should also be incorporated into the design of the planned replacement general ledger system.
The agencies that do not currently have manual compensating review controls should implement such controls to address this risk until the system controls have been implemented.

Management concurs that DOLAR$ does not have a system-controlled approval process and supports the concept of building in automated internal controls into the system that will replace DOLAR$ as long as these controls are reasonable. However, management does not believe that it is feasible or cost effective to retrofit the current system with these controls. Management does not agree with the finding that there are no compensating review controls for the current lack of automated journal voucher review. Overall, the Department believes it has in place adequate compensating controls and will ensure that these procedures are properly documented and improved in FY 2007.

8. Weakness Noted over Payroll Accounting
During FY 2006, the U.S. Department of Agriculture’s (USDA) Office of Chief Financial Officer (OCFO)/National Finance Center (NFC) processed DOL’s payroll. The Fiscal Year 2006 – Office of the Chief Financial Officer/National Finance Center General Control Review dated September 21, 2006 and issued by the USDA’s Office of Inspector General (Report No. 11401-24-FM) reported a qualified opinion regarding the effectiveness of NFC’s internal controls for the period October 1, 2005 through June 30, 2006.
During FY 2006,\n      DOL did not have policies and procedures in place to reconcile the payroll information it submitted to the NFC\n      to that received and processed by the NFC.\n\n      For each FY 2006 pay period, DOL submitted to the NFC payroll information that included all DOL employees\n      for the period, along with their hours worked, leave used, and other payroll related information for the period.\n      The NFC processed the payroll for DOL each period and made available for download a Detail Pay and Deduct\n      Register report for each DOL Human Resources office. We noted that DOL did not utilize these reports to\n      perform reviews or reconciliations of data processed by the NFC, and no other controls were in place during the\n      year to ensure that what was submitted to NFC via Time and Attendance records reconciled to what was shown\n      as paid in the Detail Pay and Deduct Register. The lack of reconciliation controls around the NFC outputs,\n      compounded by the control weaknesses identified at the NFC, increased the risk that payroll-related line items in\n      the FY 2006 financial statements could be misstated because of errors in payroll processing by the NFC.\n\n      Additionally, we noted that the Department of Labor Manual Series (DLMS) 6, Financial Management, Chapter\n      1000, Payroll Accounting, has not been updated since October 1981. However, payroll policies and procedures\n      have changed since 1981, most notably with the change to NFC as DOL\xe2\x80\x99s payroll services provider.\n\n      Federal agencies that use external service providers, such as the NFC, should have controls in place to ensure the\n      accuracy of processing outputs. As stated by the USDA OIG in its FY 2006 Report No. 
11401-24-FM, \xe2\x80\x9cThe\n      accuracy and reliability of data processed by OCFO/NFC and the resultant reports rests with the customer agency\n      and any compensating controls implemented by the agencies.\xe2\x80\x9d\n\n\n\n\n166     United States Department of Labor\n\x0c                                                                                        Independent Auditors\xe2\x80\x99 Report\n                                                                                              Reportable Conditions\n                                                                                                           Exhibit I\n\n\n   OMB Circular No. 123, Management\xe2\x80\x99s Responsibility for Internal Control, states, \xe2\x80\x9cApplication control should be\n   designed to ensure that transactions are properly authorized and processed accurately and that the data is valid\n   and complete. Controls should be established at an application\xe2\x80\x99s interfaces to verify inputs and outputs, such as\n   edit checks.\xe2\x80\x9d Additionally, per the GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government, \xe2\x80\x9cInternal\n   control should generally be designed to assure that ongoing monitoring occurs in the course of normal\n   operations. It is performed continually and is ingrained in the agency\xe2\x80\x99s operations. It includes regular\n   management and supervisory activities, comparisons, reconciliations, and other actions people take in performing\n   their duties.\xe2\x80\x9d GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government also state, \xe2\x80\x9cThe documentation\n   should appear in management directives, administrative policies, or operating manuals and may be in paper or\n   electronic form. 
All documentation and records should be properly managed and maintained.\xe2\x80\x9d\n\n   We recommend that management develop and implement policies and procedures to reconcile payroll\n   information provided to the NFC to the payroll information processed by the NFC each pay period. These\n   reconciliations should be documented, reviewed and approved by an appropriate supervisor, and maintained. In\n   addition, management should update DLMS to reflect current payroll-related policies and procedures, and\n   develop and implement a monitoring plan to periodically evaluate and update procedures in the DLMS to ensure\n   the information documented is still appropriate.\n\n   Management believes that it currently has available and uses numerous reports for DOL review and analysis of\n   payroll information, has in place a time and attendance reconciliation that validates what is transmitted to NFC\n   and what is processed, and reviews and reconciles data between DOL Human Resources (HR) and HR data in the\n   National Finance Center\xe2\x80\x99s data base. Management believes that the PeoplePower and NFC edits ensure the\n   accuracy of the data being processed. DLMS 6 \xe2\x80\x93 Chapter 1000 Payroll and Accounting, was updated and\n   circulated to DOL agencies for review in July 2006 and will be issued shortly.\n\n9. Weakness Noted over Budgetary Accounting\n\n   During FY 2006, the OCFO did not complete timely reconciliations related to the Apportionment and\n   Reapportionment Schedules (SF-132) and the Report on Budget Execution and Budgetary Resources (SF-133).\n   During our FY 2006 audit work, we requested reconciliations as of June 30, 2006 of (a) the SF-132 to the\n   SF-133, and (b) the SF-133 to the third quarter Statement of Budgetary Resources. However, these\n   reconciliations were not completed and provided to us until late September 2006. 
In addition, these\n   reconciliations identified several necessary corrections to amounts posted in the general ledger, and various\n   differences remained unresolved. During FY 2006, the OCFO did not have adequate resources and did not\n   adequately enforce policies to ensure the reconciliations were completed and any identified reconciling items\n   resolved in a timely manner. The lack of timely and complete reconciliations increased the risk that material\n   differences in external reports and in the general ledger may not have been detected and corrected in a timely\n   manner during the year.\n\n   Additionally, we noted that much of the information referenced in DLMS for the Budget Execution process has\n   not been updated since March 2004. OMB Circular No. A-11, Preparation, Submission and Execution of the\n   Budget, has been revised since that time.\n\n   Per the GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government, \xe2\x80\x9cControl activities occur at all levels\n   and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations,\n   verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of\n   related records which provide evidence of execution of these activities as well as appropriate documentation.\xe2\x80\x9d\n   Additionally, \xe2\x80\x9cThe documentation should appear in management directives, administrative policies, or operating\n   manuals and may be in paper or electronic form. All documentation and records should be properly managed and\n   maintained.\xe2\x80\x9d\n\n      According to OMB\xe2\x80\x99s Circular No. 
A-136 (July 2006), section II.4.6.11, \xe2\x80\x9c\xe2\x80\xa6 information on the SBR should be\n      consistent with the budget execution information reported on the Report on Budget Execution and Budgetary\n      Resources (SF 133) and with information reported in the Budget of the United States Government to ensure the\n      integrity of the numbers presented\xe2\x80\xa6Consistency between budgetary information presented in the financial\n      statements and the Budget of the United States Government is critical to ensure the integrity of the numbers\n      presented. The FACTS II helps to ensure the consistency of data. The FACTS II data submitted by agencies are\n      USSGL-based trial balances, which are used to populate the SF 133 and the actual column of the Program and\n      Financing Schedule of the Budget.\xe2\x80\x9d In addition, section II.4.62 states \xe2\x80\x9cThe resources reported on this statement\n      shall agree with, and be reconciled to, the total budgetary resources reported for the aggregate of all budget\n      accounts on the SF 133\xe2\x80\xa6The status of budgetary resources reported on this statement shall agree with, and be\n      reconciled to, the total status reported for the aggregate of all budget accounts on the SF 133\xe2\x80\xa6The outlays shall\n      also agree with, and be reconciled to, the aggregate of outlays reported on the SF 133 for the aggregate of all\n      budget accounts.\xe2\x80\x9d\n\n      We recommend that management ensure that current policies and procedures over SF-132 and SF-133\n      reconciliations are enhanced to require (a) quarterly reconciliations be prepared and documented, (b) the\n      completion of documented supervisory reviews over the reconciliations, and (c) the completion of these\n      procedures by a certain date (e.g., 15 days after each quarter-end). 
In addition, management should update\n      DLMS to reflect current budget-related policies, procedures, and external requirements, and develop and\n      implement a monitoring plan to periodically evaluate and update procedures in the DLMS to ensure the\n      information documented is still appropriate.\n\n      Management believes that due to DOL\xe2\x80\x99s submission process of data to Treasury, any deficiencies would be\n      identified before the trial balance data is submitted through the edit checks of Treasury. Additionally, the OCFO\n      initiated reconciliation of the SF-132 and SF-133 reports on a quarterly basis in FY 2006. Management is\n      working to enhance its current policies and procedures to require that the quarterly reconciliation be completed\n      15 days after each quarter and will require that the reconciliation be fully documented, and will require it to be\n      formally reviewed and approved by management.\n\n10. Weaknesses Noted over Custodial Activities\n      Four DOL agencies are responsible for the assessment and collection of fines and penalties \xe2\x80\x93 ESA, OSHA, the\n      Employee Benefits Security Administration (EBSA), and the Mine Safety and Health Administration (MSHA).\n      During our FY 2006 testing related to the assessment and collection of fines and penalties, we noted the\n      following conditions:\n\n           \xe2\x80\xa2   Controls were not consistently functioning effectively during FY 2006 to notify the employers of debt\n               delinquency timely (18 exceptions in 74 cases tested) or to send notification of outstanding debt to the\n               U.S. 
Department of Treasury (Treasury) after 180 days (25 exceptions in 52 cases tested that were\n               greater than 180 days outstanding), in accordance with the Debt Collection Improvement Act of 1996.\n               These exceptions were noted at MSHA and OSHA.\n           \xe2\x80\xa2   MSHA and ESA do not write off debt greater than 2 years old in accordance with OMB Circular No.\n               A-129, Managing Federal Credit Programs.\n           \xe2\x80\xa2   MSHA does not reconcile its subsidiary ledger to the general ledger on a periodic basis. We requested\n               reconciliations of collections between the subsidiary ledger and the general ledger as of June 30, August\n               31, and September 30, 2006, and received none of them timely. The September 30 collections\n               reconciliation, received on November 3, 2006, contained a $650,930 unexplained variance (2.7% of\n               MSHA collections recorded in the general ledger as of September 30, 2006).\n           \xe2\x80\xa2   Since November 2005, one day of interest was omitted from MSHA\xe2\x80\x99s interest calculation each month.\n\n\n\n\n1   Also cited in the August 2005 version of OMB Circular No. A-136, section 6.1.\n2   Also cited in the August 2005 version of OMB Circular No. 
A-136, sections 6.5 through 6.7.\n\n    \xe2\x80\xa2   OSHA only records interest receivable when debt letters are sent to employers and when debt is sent to\n        Treasury, and does not ensure that its quarter-end interest receivable balances are appropriately accrued\n        between the time of the last debt letter and the time the debt is sent to Treasury.\n    \xe2\x80\xa2   OSHA collections are not properly cut off at year-end. $819,126 of FY 2005 collections were posted to\n        DOLAR$ and the SCA in FY 2006, and $1,236,416 of FY 2006 collections were posted to DOLAR$\n        and the SCA in FY 2007.\n\nDOL management considered the identified differences to be immaterial to the FY 2006 consolidated financial\nstatements, and as such, these differences were included in the Summary of Unadjusted Audit Differences\nattached to management\xe2\x80\x99s FY 2006 representation letter.\n\nWe recommend that management develop and implement policies and procedures, or enhance and enforce\nexisting policies and procedures and related systems related to the timely notification to employers of debt\ndelinquency, the timely notification to Treasury of outstanding debt, write-off of debt greater than 2 years old in\naccordance with OMB Circular No. A-129, Managing Federal Credit Programs, reconciliation of the MSHA\nsubsidiary ledger to the general ledger on a quarterly basis, accrual of interest receivable on a quarterly basis, and\nrecording of collections received near year-end in the general ledger in the proper fiscal year. 
In addition,\nmanagement should design, test, and implement changes to MSHA\xe2\x80\x99s subsidiary ledger to correct errors in the\ncalculation of interest and ensure that controls are in place to detect such system errors in the future.\n\nIn FY 2006, DOL updated its procedures for debt management (DLMS 6, Chapter 900); the Chapter is currently\nin the Departmental clearance process. The revised guidance covers transfers of delinquent or defaulted debts to\nthe U.S. Department of the Treasury, Financial Management Service (FMS) for collection and procedures for the\nwrite-off of debt. Management routinely monitors accounts receivable and reviews the agencies\xe2\x80\x99 quarterly\nreports on receivables due from the public to ensure compliance with OMB Circular No. A-129. Management\nwill develop and implement any additional policies and procedures for the management and collection of debts\nand write-offs to ensure compliance with FMS and the OMB Circular No. A-129 requirements, including interest\naccruals, reconciliations, and cut-offs.\n\n\n\n1. Federal Information Security Management Act (Electronic Government Act of 2002)\n      The U.S. Department of Labor (DOL) is required to comply with the Federal Information Security Management\n      Act (FISMA), which was enacted as part of the Electronic Government Act of 2002. 
FISMA requires the head of\n      each agency to be responsible for (1) providing information security protections commensurate with the risk and\n      magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or\n      destruction of (a) information collected or maintained by or on behalf of the agency; and (b) information systems\n      used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; (2)\n      complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines,\n      including information security standards promulgated under section 11331 of title 40. This particular section\n      requires that Federal agencies provide minimum information security requirements as defined by the National\n      Institute of Standards and Technology. We noted instances of non-compliance with FISMA that have been\n      reported in Exhibit I as Reportable Condition Nos. 1, 2 and 5.\n\n      We recommend that DOL follow the recommendations provided in Reportable Condition Nos. 1, 2 and 5 in\n      Exhibit I, and fully implement the requirements of FISMA in fiscal year (FY) 2007.\n\n2. Single Audit Act Amendments of 1996\n      As a grant-making entity, DOL is required to comply with certain provisions of the Single Audit Act Amendments\n      of 1996 and the corresponding Office of Management and Budget (OMB) Circular No. A-133, Audits of States,\n      Local Governments, and Non-Profit Organizations. According to Section 7504 of the Single Audit Act\n      Amendments of 1996, \xe2\x80\x9cEach Federal agency shall, in accordance with guidance issued by the Director under\n      section 7505, with regard to Federal awards provided by the agency\xe2\x80\xa6monitor non-Federal entity use of Federal\n      awards.\xe2\x80\x9d According to Section 400(c) of OMB Circular No. 
A-133, \xe2\x80\x9cThe Federal awarding agency shall perform\n      the following for the Federal awards it makes\xe2\x80\xa6Ensure that audits are completed and reports are received in a\n      timely manner and in accordance with the requirements of this part\xe2\x80\xa6Issue a management decision on audit\n      findings within six months after receipt of the audit report and ensure that the recipient takes appropriate and\n      timely corrective action.\xe2\x80\x9d\n\n      As discussed in Reportable Condition No. 4 in Exhibit I, DOL lacks monitoring procedures to ensure that audits\n      of its grantees are completed and reports are received in a timely manner for each grantee that meets the audit\n      threshold in OMB Circular No. A-133. Therefore, DOL cannot be certain that all required audits have been\n      performed in a timely manner.\n\n      DOL has established policies and procedures requiring the Office of Inspector General (OIG) to receive OMB\n      Circular No. A-133 audit reports once they are issued, review these reports for findings relevant to DOL grant\n      programs, and distribute any such findings to the applicable DOL agency for response and resolution. However,\n      we noted instances in which the latest available OMB Circular No. A-133 audit reports were not obtained for\n      review as of September 30, 2006 although they were available on the Federal Single Audit Clearinghouse\n      website.\n\n      We recommend that DOL follow the recommendations provided in Reportable Condition No. 4 in Exhibit I in\n      FY 2007.\n\n3. Debt Collection Improvement Act of 1996\n      The Debt Collection Improvement Act of 1996 (DCIA) is intended to significantly enhance the Federal\n      Government\xe2\x80\x99s ability to service and collect debts. Under the DCIA, the U.S. Department of Treasury (Treasury)\n      assumes a significant role for improving government-wide receivables management. 
According to the DCIA, an\n      agency responsible for collecting debts from the public must \xe2\x80\x9censure that the public is fully informed of the\n      Federal Government's debt collection policies and that debtors are cognizant of their financial obligations to\n      repay amounts owed to the Federal Government.\xe2\x80\x9d Also, according to the DCIA, \xe2\x80\x9cany Federal agency that is\n      owed by a person a past due, legally enforceable nontax debt that is over 180 days delinquent, including nontax\n      debt administered by a third party acting as an agent for the Federal Government, shall notify the Secretary of the\n\n\n\n\n                                                                                         Independent Auditors\xe2\x80\x99 Report\n                                                                                                 Compliance Matters\n                                                                                                           Exhibit II\n\n\n   Treasury of all such nontax debts for purposes of administrative offset.\xe2\x80\x9d Our tests of compliance disclosed\n   instances where DOL was not in compliance with these provisions of the DCIA. In addition, all DOL agencies do\n   not write off debt greater than two years old in accordance with OMB Circular No. A-129, Managing Federal\n   Credit Programs. See Exhibit I, Reportable Condition No. 10 for further information.\n\n   We recommend that DOL follow the recommendations provided in Reportable Condition No. 10 in Exhibit I,\n   and develop policies and procedures to ensure full compliance with the DCIA in FY 2007.\n\n4. 
Federal Financial Management Improvement Act of 1996\n   Under section 803a of FFMIA, DOL\xe2\x80\x99s financial management systems are required to substantially comply with\n   (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the\n   United States Government Standard General Ledger at the transaction level. The Department represented that in\n   accordance with the provisions and requirements of FFMIA, the Secretary of Labor determined that the\n   Department of Labor\xe2\x80\x99s financial management systems are in substantial compliance with FFMIA.\n\n   As a result of FY 2006 testing, we concluded that DOL\xe2\x80\x99s financial management systems did not substantially\n   comply with Federal financial management systems requirements.\n\n      \xe2\x80\xa2   In the FY 2006 FISMA report, the DOL OIG identified a significant deficiency related to a system\n          considered a mixed system under OMB guidelines as it supports financial and non-financial systems\n          within DOL, including the Department of Labor Accounting and Reporting System (DOLAR$), DOL\xe2\x80\x99s\n          general ledger system. See OIG Report No. 23-06-015-07-001.\n      \xe2\x80\xa2   Several \xe2\x80\x9chigh\xe2\x80\x9d risk change control and segregation of duties weaknesses related to computer security\n          were identified at the Employment and Training Administration (ETA) and the Employment Standards\n          Administration (ESA) as part of FY 2006 audit work. These weaknesses were identified on systems\n          associated with certain DOL benefits and grants programs. See Exhibit I Reportable Condition No. 
1 and\n          5 for further information.\n      \xe2\x80\xa2   Numerous \xe2\x80\x9chigh\xe2\x80\x9d and \xe2\x80\x9cmedium\xe2\x80\x9d risk information technology (IT) general and application control\n          weaknesses related to computer security were identified as part of the IT audit work in FY 2006. These\n          weaknesses impact the IT environments and systems in several large DOL agencies, including the Office\n          of the Chief Financial Officer (OCFO), ETA, ESA, and the Office of the Assistant Secretary for\n          Administration and Management (OASAM). Many of these weaknesses were initially identified in\n          previous years\xe2\x80\x99 audits, and DOL has not taken sufficient corrective action to address them. In summary,\n          DOL was not effective (less than 30%) in closing such prior year IT recommendations. As a result of the\n          number of repeat IT weaknesses still present in the DOL financial control environment, added pressure\n          exists on the mitigating manual controls to be operating effectively at all times. See Exhibit I Reportable\n          Conditions Nos. 1 and 2 for further information.\n      \xe2\x80\xa2   DOLAR$ does not require journal entries (via transaction codes) to be entered and approved by separate\n          individuals before they are posted to the general ledger. Hence, transaction codes and corresponding\n          amounts entered into DOLAR$ are posted without any system-controlled approval. See Exhibit I\n          Reportable Condition No. 7 for further information.\n      \xe2\x80\xa2   Certain procedures in the Department of Labor Manual Series (DLMS) are outdated or should be more\n          comprehensive. See Exhibit I Reportable Condition Nos. 8 and 9 for examples of this condition.\n\n   We recommend that DOL follow the recommendations provided in Reportable Condition Nos. 
1, 2, 5, 8 and 9 in\n   Exhibit I, and improve its processes to ensure compliance with the Federal financial management systems\n   requirements of FFMIA in FY 2007.\n"